Many communication systems of today, including mobile communication systems, paging systems, as well as wireless and wireline data networks, employ authentication and encryption procedures for the purpose of improving system security and robustness.
In mobile communication systems, for example, users authenticate towards the network and/or service providers in order to gain access to the network services, and the authentication also serves as a base for billing the users. The basic security protocol of modern communication systems normally involves a challenge-response authentication procedure, most often based on secret key cryptography. Challenge-response authentication is well known in the art and several standards on basic challenge-response authentication exist, e.g. for GSM (Global System for Mobile Communications) and UMTS (Universal Mobile Telecommunications System) networks.
As illustrated in FIG. 1, a typical scenario in a modern communication system not only involves the user and the authentication center to which the user is associated, but also an intermediate party, such as a separate network operator or other service provider. Typically, the authentication center is related to a home operator with which the user has a trust relation, for example established through a subscription or a pre-paid account. This established trust relation is typically manifested in a cryptographic relationship, for example through a shared secret key (symmetric cryptography). The home operator authentication center, or more specifically the home network operator, may have a service agreement with the intermediate party, which agreement is typically manifested by a similar cryptographic relationship. However, the relationship between the user and the intermediate party is normally regarded as an induced trust relationship, which is established when the services offered by the intermediate party are requested or otherwise initiated.
FIG. 2 is a schematic diagram of a typical prior art challenge-response authentication procedure involving a user, an associated home operator authentication center and an intermediate party. For example, the conventional AKA (Authentication and Key Agreement) process used in communication systems such as GSM and UMTS networks includes a challenge-response procedure based on a secret key. The secret key, denoted Ki, is normally the subscription key associated with a user-operator subscription or a key derived therefrom. The intermediate party may for example be a network node managing a network into which the user is roaming or other type of service provider offering services in relation to the user.
For authentication of a given user at the intermediate party, the user is normally requested to send a user ID to the intermediate party, which in turn forwards this ID to the home operator authentication center in a request for authentication data. In order to assist in the authentication of the user, the home authentication center generates an expected response XRES based on the secret key Ki associated with this particular user and a random challenge RAND as input to a given function g. Normally, the authentication center may also generate additional information such as a confidentiality key, integrity key and authentication token. In GSM AKA, no integrity key or authentication token is used, but the basic challenge-response procedure is the same. The challenge RAND and the expected response XRES, together with additional information, are sent to the intermediate party, which wants to authenticate the user. The intermediate party forwards the challenge RAND, and possibly the authentication token, to the user. The user, preferably with the help of a subscriber identity module (SIM or USIM), generates a response RES based on the shared secret key Ki (securely stored in the SIM or USIM) and the received challenge RAND as input to the same function g as used by the authentication center. The user then sends the response RES back to the intermediate party. To authenticate the user, the intermediate party simply verifies that the response RES received from the user equals the expected response XRES received from the authentication center.
The transmission of authentication parameters between the authentication center and the intermediate party may be cryptographically protected. In UMTS, for example, the security protocol MAPSec may be used. The MAPSec protocol has been standardized in 3GPP, but not yet deployed.
It is normally required that it should be possible to pre-distribute authentication data and that it should be possible to perform the authentication procedure later without renewed contact with the authentication center.
There are two main threats to the above basic challenge-response authentication procedure. The first threat is that a dishonest intermediate party, such as a separate network operator or other service provider, may request authentication data from the authentication center and later falsely claim that a user has been roaming into the network or otherwise used offered services, and finally request payment for the services. The authentication center cannot ask for any supporting proof, as the systems of today do not support such a function.
The second threat is that authentication parameters may be intercepted when sent from the authentication center to the intermediate party, or read from a hacked node of the intermediate party. The stolen authentication parameters may then be used to fraudulently authenticate as the user with whom the parameters are associated. Such an attack relies on the ability to steal the authentication data and use them before the real user does. For example, such an attack is possible when a user is roaming between networks and authentication parameters are stored, for later use, in the network that the user is leaving.
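The following sketch is an added example, not part of the original text: it models the three-party exchange described above (pre-distributed RAND/XRES pairs, later verification without renewed contact with the authentication center) and shows why the intermediate party's record of a successful authentication gives the authentication center no supporting proof. The function g is not specified in the text, so truncated HMAC-SHA256 is used as a stand-in; the class names and the user ID "user-1" are assumptions.

```python
import hashlib
import hmac
import secrets

def g(ki, rand):
    # Stand-in for the function g (assumption: HMAC-SHA256 truncated to 8 bytes).
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]

class AuthCenter:
    """Home operator authentication center: holds Ki for each user ID."""
    def __init__(self):
        self.keys = {}
    def enroll(self, user_id):
        self.keys[user_id] = secrets.token_bytes(16)
        return self.keys[user_id]  # the copy provisioned into the SIM/USIM
    def auth_data(self, user_id, n):
        # Batch of (RAND, XRES) pairs that can be pre-distributed.
        ki = self.keys[user_id]
        rands = [secrets.token_bytes(16) for _ in range(n)]
        return [(r, g(ki, r)) for r in rands]

class Sim:
    """User side: computes RES from the stored Ki and the received RAND."""
    def __init__(self, ki):
        self._ki = ki
    def respond(self, rand):
        return g(self._ki, rand)

class IntermediateParty:
    def __init__(self):
        self.vectors, self.log = {}, []
    def fetch(self, auc, user_id, n):
        self.vectors[user_id] = auc.auth_data(user_id, n)
    def authenticate(self, user_id, sim):
        # Uses a stored pair; no renewed contact with the authentication center.
        rand, xres = self.vectors[user_id].pop(0)
        res = sim.respond(rand)
        ok = hmac.compare_digest(res, xres)  # RES must equal XRES
        if ok:
            self.log.append((rand, res))
        return ok

def run_demo():
    auc, ip = AuthCenter(), IntermediateParty()
    ki = auc.enroll("user-1")
    ip.fetch(auc, "user-1", 2)
    held = list(ip.vectors["user-1"])  # data supplied by the authentication center
    genuine = ip.authenticate("user-1", Sim(ki))
    wrong = ip.authenticate("user-1", Sim(secrets.token_bytes(16)))
    # The logged (RAND, RES) equals the (RAND, XRES) already held beforehand.
    return genuine, wrong, ip.log[0] == held[0]
```

The third value returned by run_demo() is the point of the first threat: everything the intermediate party can present after authenticating the user was already in its possession before the user responded.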